StreamArmor 4.1

Scan NTFS drives for Alternate Data Streams

Mike Williams August 29, 2016


StreamArmor is a portable application which scans NTFS drives to highlight alternate data streams (ADS). This is an NTFS feature which allows malware - or any application - to hide files and data from Explorer and other file management tools.

Getting started is as easy as specifying a drive and clicking "Start Scan". You will have to be patient, though - the scanning process requires checking every single file, which can take a very long time (several minutes).

StreamArmor displays any discovered streams as it works. Many of these will be entirely legitimate - for example, Internet Explorer uses a "Zone.Identifier" stream to mark files as downloaded from the internet, and stores website favicons in an ADS attached to their shortcuts - and StreamArmor highlights these in green.

Other streams might be more interesting: they're not of a known type, maybe they contain large amounts of data, executable code or something else unusual. StreamArmor highlights these in other colours and displays them at the top of the list, ready for further investigation.

When we tried this on a test system, the program highlighted two ADS as "dangerous" because they contained executable code. This really means "potentially dangerous", because the program has no way to know whether a stream is used by a legitimate application or not, but such streams do warrant more investigation.

In our case the files had the name "update", and were stored in the folder of a trusted application which had just auto-updated itself. So it looks like this was just some part of the program's regular operations, and nothing to worry about.

To help you diagnose files on your own system, StreamArmor displays their name, path, creation date, stream size and (where known) type. Click on a particular stream and you can also see a hex and decimal view of its first bytes, which might give you some clue what it is.
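The same triage can be reproduced by hand, as an added PowerShell example that is not StreamArmor's code: it enumerates every ADS under a folder, treats known-benign stream names (Zone.Identifier and friends) as green, flags streams whose first bytes are the PE "MZ" header as executable, and lists the rest by size. The start folder, the benign-name list and the 1 MB "large" threshold are assumptions, not values from the review.

```powershell
# Added example (not StreamArmor's code): enumerate and triage alternate data streams.
param(
    [string]$Root = 'C:\Users\Public',   # assumed start folder
    [int]$LargeBytes = 1MB               # assumed "large stream" threshold
)

# Stream names Windows/IE write routinely; StreamArmor shows these in green.
$KnownBenign = @('Zone.Identifier', 'favicon', 'SmartScreen')

function Get-StreamVerdict {
    param([string]$StreamName, [long]$Length, [byte[]]$Head = @())
    if ($KnownBenign -contains $StreamName) { return 'benign' }
    # Every PE file (exe/dll) starts with the DOS header bytes 'MZ' (0x4D 0x5A).
    if ($Head.Length -ge 2 -and $Head[0] -eq 0x4D -and $Head[1] -eq 0x5A) { return 'executable' }
    if ($Length -ge $LargeBytes) { return 'large' }
    return 'unknown'
}

# Rank used to put the interesting streams at the top, as StreamArmor does.
$Rank = @{ executable = 0; large = 1; unknown = 2; benign = 3 }

Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    $file = $_
    # Every file has the unnamed ':$DATA' stream; anything else is an ADS.
    Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
      Where-Object { $_.Stream -ne ':$DATA' } |
      ForEach-Object {
        # Read only the first two bytes of the stream (hex view, as in StreamArmor).
        # On Windows PowerShell 5.1 replace -AsByteStream with -Encoding Byte.
        $head = @(Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                    -AsByteStream -TotalCount 2 -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Verdict = Get-StreamVerdict -StreamName $_.Stream -Length $_.Length -Head ([byte[]]$head)
            Path    = $file.FullName
            Stream  = $_.Stream
            Bytes   = $_.Length
            Created = $file.CreationTime
        }
      }
  } |
  Sort-Object { $Rank[$_.Verdict] } |
  Format-Table -AutoSize
```

An "executable" verdict here has the same meaning as StreamArmor's "dangerous": the stream holds a PE image, which still needs to be checked against the owning application before it is called malicious.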

Verdict

ADS scanners are common, but StreamArmor's portability and "danger ratings" (which help you ignore fluff like IE's Zone.Identifier streams) make it better than most.